From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Sat, 22 Mar 2014 20:38:48 +0100
Message-ID: <871txut453.fsf@alrua-x1.karlstad.toke.dk>
In-Reply-To: <532DD9DD.8040301@thekelleys.org.uk> (Simon Kelley's message of "Sat, 22 Mar 2014 18:43:41 +0000")
References: <532DD9DD.8040301@thekelleys.org.uk>
List-Id: Development issues regarding the cerowrt test router project

Simon Kelley writes:

> One possibility would be to store the current time in NVRAM. When the
> router comes up, that gives a lower bound on the current time, and
> would solve attacks using old keys.

This is already implemented (basically it finds the most recently
modified file in /etc and sets the time to that; I think there's also a
script that periodically refreshes some file there), and works to keep
time during a reboot. However, when first flashing an image, the time
will be whatever time that image was created...

> Less drastic would be to disable the key-time checks for this phase.
> Simplest would be a config flag: start it up with that flag whilst NTP
> does its stuff, then restart without when the clock is OK. Another
> option would be to disable the checks when the query arrives from a
> "magic" loopback address: maybe 127.110.116.112 (127.'n'.'t'.'p')

The magic address would require the resolver and/or the ntp daemon to be
patched? What about a config option that adds a grace time? Say enable
dnssec after N seconds?

-Toke
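
Added example (not part of the original message, and not CeroWrt's own script): the newest-file lower bound described above, paired with a simplified signature validity-window check, to show what the floor fixes and what it does not. The function names, the temporary directory and all timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: a clock floor from file mtimes, and what it means for RRSIG checks.
# All timestamps below are constructed sample values (epoch seconds, UTC).

# Epoch mtime of the newest regular file under $1 (0 if there is none).
# Uses `date -r FILE`, available in GNU coreutils and BusyBox.
newest_mtime() {
    m=$(find "$1" -type f -exec date -r {} +%s \; 2>/dev/null | sort -n | tail -n 1)
    echo "${m:-0}"
}

# Lower bound for "now": never earlier than the newest file under $2.
# $1 is what the (possibly reset) system clock currently reports.
clock_floor() {
    f=$(newest_mtime "$2")
    if [ "$1" -lt "$f" ]; then echo "$f"; else echo "$1"; fi
}

# Simplified validity-window check: $1 = now, $2 = inception, $3 = expiration.
# (Plain integer compare; real validators use RFC 4034 serial arithmetic.)
rrsig_status() {
    if [ "$1" -lt "$2" ]; then echo not-yet-valid
    elif [ "$1" -gt "$3" ]; then echo expired
    else echo valid
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    TZ=UTC0 touch -t 201401010000 "$d/image-file"   # image built 2014-01-01
    boot=0                                          # no RTC: clock starts at 1970
    old="1385856000 1391212800"                     # 2013-12-01 .. 2014-02-01 (replayed)
    cur="1394409600 1397088000"                     # 2014-03-10 .. 2014-04-10 (genuine)
    now=$(clock_floor "$boot" "$d")
    echo "fresh flash:  now=$now old=$(rrsig_status "$now" $old) cur=$(rrsig_status "$now" $cur)"
    TZ=UTC0 touch -t 201403010000 "$d/state-file"   # periodic refresh on 2014-03-01
    now=$(clock_floor "$boot" "$d")
    echo "after reboot: now=$now old=$(rrsig_status "$now" $old) cur=$(rrsig_status "$now" $cur)"
    rm -rf "$d"
}
demo
```

On a fresh flash the replayed signature still validates and the genuine one is rejected as not yet valid; once the state file has been refreshed, the replay is rejected as expired. The genuine signature stays unverifiable until NTP has set the clock, which is the bootstrapping gap the config flag, magic address and grace-time proposals address.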